HP-UX Host Intrusion Detection System Version 4.7 Administrator Guide HP-UX 11i v3 (766144-001, March 2014)

Execute on Stack
Table 13 lists the alerts that this template generates and forwards to a response program when an
execute-on-stack condition is detected by the HP-UX 11i kernel.
Table 13 Execute on Stack Alert Properties

| Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument |
|---|---|---|---|---|
| Unique code assigned to the template | 0 | Integer | Template code | argv[1] |
| Version of the template | <version> | Integer | Version | argv[2] |
| Alert severity | 1 | Integer | Severity | argv[3] |
| UTC time in number of seconds since epoch when execute-on-stack was detected | <secs> | Integer | UTC Time | argv[4] |
| The user ID, group ID, process ID, and parent process ID of the process that attempted to execute on its stack | uid=<uid>, gid=<gid>, pid=<pid>, ppid=<ppid> | String | Attacker | argv[5] |
| The full pathname of the program the attacker was running when attempting to execute off the stack and the program's type, mode, uid, gid, inode, and device number | program=<full pathname>, type=<type>, mode=<mode>, uid=<uid>,gid=<gid>, inode=<inode>,device=<device> | String | Target of Attack | argv[6] |
| Alert summary | Buffer overflow detected | String | Summary | argv[7] |
| Detailed alert description | Buffer overflow detected by kernel for process with pid <pid> and ppid <ppid> when executing <program>(type=<type>, inode=<inode>, device=<device>), invoked with <args> | String | Details | argv[8] |
| The event that triggered the alert. | null | String | Event | argv[9] |
NOTE: See Table 41 (page 150) in Appendix B for the definition of additional arguments that
can be used to access specific alert information (for example, pid and ppid) without parsing the
string alert fields.
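The table above fixes the order and format of the nine arguments a response program receives. The following POSIX sh response script is an added example (it is not part of the HP-UX HIDS guide or product): it takes argv[1] through argv[9] as listed in Table 13, pulls uid, pid and ppid out of the Attacker string and program and inode out of the Target of Attack string, and writes one log line that a SIEM can ingest without further parsing. The function names, the output line layout and the sample values at the bottom are this example's own constructions; the additional pre-parsed arguments the NOTE refers to (Table 41) are not used here, so the script works with only the nine string fields.

```sh
#!/bin/sh
# Added example response program for the Execute on Stack alert (Table 13).
# Not HP-UX HIDS code: the function names and log format are this example's
# own choices. HIDS passes the alert fields as argv[1]..argv[9].

# Extract the value for one key from a "k1=v1, k2=v2,k3=v3" string.
# Usage: field_value "<key>" "<string>"
# Matching is anchored at "key=", so "pid" does not match "ppid=...".
field_value() {
    key=$1
    s=$2
    printf '%s\n' "$s" | tr ',' '\n' | sed 's/^ *//' |
        sed -n "s/^${key}=//p" | head -n 1
}

# Build the log record from the nine alert arguments (argv[1]..argv[9]).
# Returns 0 for a well-formed Execute on Stack alert (template code 0 per
# Table 13) and 1 otherwise, so a wrapper can refuse unexpected input.
format_alert() {
    tmpl=$1
    sev=$3
    secs=$4
    attacker=$5
    target=$6
    summary=$7
    event=$9
    [ "$tmpl" = "0" ] || return 1
    uid=$(field_value uid "$attacker")
    pid=$(field_value pid "$attacker")
    ppid=$(field_value ppid "$attacker")
    prog=$(field_value program "$target")
    inode=$(field_value inode "$target")
    printf 'hids_eos time=%s sev=%s uid=%s pid=%s ppid=%s program=%s inode=%s event=%s summary="%s"\n' \
        "$secs" "$sev" "$uid" "$pid" "$ppid" "$prog" "$inode" "$event" "$summary"
}

# When invoked by HIDS with the nine alert arguments, format and exit with
# the result. With other argument counts (e.g. run by hand) do nothing.
if [ "$#" -eq 9 ]; then
    format_alert "$@"
    exit $?
fi

# Constructed sample alert (values are made up for this example):
# format_alert 0 1 1 1394000000 \
#   "uid=1001, gid=20, pid=4242, ppid=4200" \
#   "program=/tmp/example_bin, type=file, mode=4755, uid=0,gid=0, inode=12345,device=64000" \
#   "Buffer overflow detected" "Buffer overflow detected by kernel ..." "null"
```

Install such a script as the template's response program and keep the parsing anchored at each key name: the Target of Attack string carries its own uid and gid, so a loose substring match against the wrong field would mix the attacker's identity with the target program's ownership.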
Unusual Argument Length
Table A-4 lists the alert properties that the Buffer Overflow template generates and forwards to a
response program when a privileged setuid program is invoked with an argument whose length is
equal to or greater than the unusual_arg_len property value.
Table 14 Unusual Argument Length Alert Properties

| Description | Alert Value/Format | Alert Field Type | Alert Field | Response Program Argument |
|---|---|---|---|---|
| Unique code assigned to template | 0 | Integer | Template code | argv[1] |
| Version of the template | <version> | Integer | Version | argv[2] |
| Alert severity | 1 | Integer | Severity | argv[3] |
| UTC time in number of seconds since the epoch when a privileged setuid program | <secs> | Integer | UTC Time | argv[4] |
Buffer Overflow Template 113